Sign up or log in to save this to your schedule and see who's attending!

Software security maturity models such as OpenSAMM can be effective tools for organizations to use to understand the maturity of security practices within their development teams. But ambitious development timelines, limited resources, and a variety of competing priorities limit how frequently software security maturity models are actually used. Making matters worse, development cycles are being compressed in organizations where continuous integration or DevOps concepts are being embraced. Finally, organizations that have never conducted an OpenSAMM assessment are reluctant to spend so much time and energy to receive “zeros” on their OpenSAMM scorecard and confirm what they suspected in the first place – they have little or no security practices in their development environment.

OpenSAMM is effective for some organizations while others may be moving so fast or have so little security in place that the assessment is of dubious value. How can OpenSAMM remain relevant in a world where development occurs at near light speed? What adaptations are needed to provide a range of options to organization looking to measure their maturity levels and to benchmark their activities against peer organizations? How can you show value to development teams and business units quicker and in a more agile fashion?

Recent efforts to update OpenSAMM and to add benchmarking data are important and needed, but point to a greater need to streamline the process of assessments against the model. But organizations where speed is an imperative are demanding more flexible options the allow them to adapt the underlying concepts of the OpenSAMM, while minimizing the impact on software development production. The session will start with a quick overview of the status of the OpenSAMM project, including the efforts of the recent benchmarking initiative. These efforts are focused on updating the OpenSAMM model and providing comparative data that allows clients to understand their software security maturity compared to industry peers. The session will also provide a brief overview of where OpenSAMM can provide tremendous value in any application security program, when and where they should be used, and how security organizations should capitalize on their results.

The bulk of the session will focus on how organizations have had recent successes using a variety of strategies to insert SAMM concepts where development is occurring at breakneck speeds and security teams simply have little authority to review every development team. One strategy to be examined will be the use of a two-stage, or iterative process, to identify the highest concentration of risky development practices, followed by a scaled assessment process that focuses the majority of assessing activities on the development areas of most perceived risk.

In this approach, lightweight surveys are sent to multiple development teams to conduct a first-pass measurement of the riskiest development activities. This brief survey is followed by a quick risk ranking activity to identify which teams warrant priority assessments and to tailor the depth of follow-up assessments according to perceived risk.

Another major strategy involves leveraging existing technologies such as application vulnerability platforms or source code repositories to “self report” maturity improvement activities, lessening the burden on development teams while providing consistent updates to the security team monitoring security improvement. The presentation will outline how one can automate reporting on team maturity by capturing metrics such as frequency of testing, prevalence of certain types of vulnerabilities, and mean time to fix application vulnerabilities. The session will highlight how one can publish data across development teams to provide visibility, increase accountability, and encourage security improvements across the organization.